Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

x402 Agent Marketplace

v4.0.0

Provide AI agent services paid via SOL micro-payments using the x402 HTTP 402 payment protocol with zero-custody, supporting 15 specialized AI agents.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The manifest and README claim a runnable FastAPI marketplace (server.py, requirements.txt, dashboard, 15 agents) and even list a GitHub repository, but the published package contains only skill.json and SKILL.md. The skill metadata declares no required binaries or credentials while the instructions expect Python, pip, and a Solana wallet — these mismatches suggest the package is incomplete or misrepresented.
!
Instruction Scope
SKILL.md tells the operator to run 'pip install -r requirements.txt' and 'python server.py' and defines a payment flow that requires users to send SOL to a specific wallet and present a transaction signature in an HTTP header. The instructions therefore direct financial actions (sending funds to an address) and server execution, but do not provide the referenced files or any verification/escrow mechanisms. The payment flow could result in irreversible transfers to an unverified recipient.
!
Install Mechanism
There is no install spec in the package and no code files included, yet the instructions tell the user to install and run a Python server and to use ClawHub to install the skill. Because required artifacts (requirements.txt, server.py) are missing, following the install instructions will fail or require fetching external code. That mismatch increases risk: the instructions imply network installs and execution of code not bundled with the skill.
!
Credentials
The skill declares no required environment variables or credentials, but its operation depends on a Solana wallet and transaction signatures. It asks users to send SOL to a single wallet address (4D8jCkTMWjaQzDuZkwibk8ML34LSCKVCKS8kC6RFYuX) and include signatures in requests—effectively asking for funds and proof of payment without providing bundled verification code. Requesting fund transfers to an unverified address is disproportionate and potentially fraudulent.
Persistence & Privilege
The skill is instruction-only, has always:false, and does not request persistent system privileges or claim to modify other skills. There is no indication it attempts to install itself permanently or elevate privileges within the agent platform. However, because it instructs running a server (not included), manual installation could introduce other risks if external code is fetched.
What to consider before installing
Do not send SOL or run the provided curl/payment flow until you can verify the code and the wallet owner. The package you were given contains only SKILL.md and skill.json but instructs you to run server.py and install requirements that are not present — that inconsistency is suspicious. Before installing or running anything:

1) check the referenced GitHub repository (https://github.com/dahhan43-netizen/x402-agent-marketplace) and verify it contains the server, requirements, and a legitimate project history;
2) ask the publisher for the missing files and for proof the wallet address is controlled by the marketplace operator and audited;
3) avoid pip-installing or running unreviewed code from the network; and
4) treat any instruction that asks you to transfer cryptocurrency to a single address as high-risk unless you have an independent way to verify the recipient and the escrow/payment verification logic.

Like a lobster shell, security has layers — review code before you run it.
